CVE-2021-20649 - OpenCVE

ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Elecom	Wrc-300febk-s Wrc-300febk-s Firmware

Configuration 1 [-]

AND

cpe:2.3:o:elecom:wrc-300febk-s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:elecom:wrc-300febk-s:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://jvn.jp/en/jp/JVN47580234/index.html
https://www.elecom.co.jp/news/security/20210126-01/

History

No history.

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2021-02-12T06:15:50

Updated: 2024-08-03T17:45:45.385Z

Reserved: 2020-12-17T00:00:00

Link: CVE-2021-20649

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-02-12T07:15:15.387

Modified: 2021-02-15T01:26:09.573

Link: CVE-2021-20649

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "WRC-300FEBK-S", "vendor": "ELECOM CO.,LTD.", "versions": [{"status": "affected", "version": "WRC-300FEBK-S"}]}], "descriptions": [{"lang": "en", "value": "ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device."}], "problemTypes": [{"descriptions": [{"description": "Improper certificate validation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-12T06:15:50", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.elecom.co.jp/news/security/20210126-01/"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/en/jp/JVN47580234/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2021-20649", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WRC-300FEBK-S", "version": {"version_data": [{"version_value": "WRC-300FEBK-S"}]}}]}, "vendor_name": "ELECOM CO.,LTD."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper certificate validation"}]}]}, "references": {"reference_data": [{"name": "https://www.elecom.co.jp/news/security/20210126-01/", "refsource": "MISC", "url": "https://www.elecom.co.jp/news/security/20210126-01/"}, {"name": "https://jvn.jp/en/jp/JVN47580234/index.html", "refsource": "MISC", "url": "https://jvn.jp/en/jp/JVN47580234/index.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:45:45.385Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.elecom.co.jp/news/security/20210126-01/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jvn.jp/en/jp/JVN47580234/index.html"}]}]}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2021-20649", "datePublished": "2021-02-12T06:15:50", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:45:45.385Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:elecom:wrc-300febk-s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "BBD41BED-6FB3-4F62-BFCC-C73927375E9E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:elecom:wrc-300febk-s:-:*:*:*:*:*:*:*", "matchCriteriaId": "77EFC8AE-44A0-4ED5-AC46-13CA56313EEB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ELECOM WRC-300FEBK-S contains an improper certificate validation vulnerability. Via a man-in-the-middle attack, an attacker may alter the communication response. As a result, an arbitrary OS command may be executed on the affected device."}, {"lang": "es", "value": "ELECOM WRC-300FEBK-S, contiene una vulnerabilidad de comprobaci\u00f3n de certificado inapropiada. Mediante un ataque man-in-the-middle, un atacante puede alterar la respuesta de comunicaci\u00f3n. Como resultado, se puede ejecutar un comando arbitrario del sistema operativo en el dispositivo afectado"}], "id": "CVE-2021-20649", "lastModified": "2021-02-15T01:26:09.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-12T07:15:15.387", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN47580234/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.elecom.co.jp/news/security/20210126-01/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}